information identifying a predetermined plurality of host computers as hosts requiring security
for packets transmitted between them, the method being carried [carded] out [be] by means of
the instructions stored on said respective memories and including the steps of:



(1) generating, by the first host computer, a first data packet for transmission to the
second host computer, a portion of the first data packet including information
representing an internetwork address of the first host computer and internetwork address
of the second host computer;

(2) in the first bridge computer, intercepting the first data packet and determining
whether the first and second host computers are among the predetermined plurality of
host computers for which security is required, and if not, proceeding to step 5, and if so,
proceeding to step 3;

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the encrypted first data
packet an encapsulation header, including:

(a) key management information [identifying] providing a mechanism for
identifying the predetermined encryption method, and

(b) a new address header representing the source and destination for the first
data packet, thereby generating a modified first data packet;

(5) transmitting the first data packet or the modified first data packet from the first
bridge computer via the internetwork to the second computer network;

(6) intercepting the first data packet or the modified first data packet at the second
bridge computer;

(7) in the second bridge computer, if the encapsulation header has been appended to
the first data packet, reading the encapsulation header, and determining therefrom
whether the first data packet was encrypted, [and if not, proceeding to step 10,
and if so, proceeding to step 8] and if it is determined that the first data packet has
been encrypted, proceeding to step 8 and otherwise proceeding to step 10;

(8) in the second bridge computer, determining which encryption mechanism was
used to encrypt the first data packet;

(9) decrypting the first data packet by the second bridge computer; 

(10) transmitting the first data packet from the second bridge computer to the second
host computer[,]; and

(11) receiving the unencrypted first data packet at the second host computer. 
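The bridge-to-bridge flow of steps (1) to (11) above, as an added Python example that is not part of the filing. The frame layout, protocol markers, mechanism identifier, addresses and key are constructed; the HMAC-SHA256 keystream cipher stands in for the unspecified "predetermined encryption method", the outer header carries the bridge addresses as in claim 2, and the integrity tag and the post-decryption table check go beyond what claim 1 recites.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

PROTO_DATA, PROTO_ENCAP = 1, 2   # constructed markers: ordinary vs. encapsulated
MECH_HMAC_CTR = 1                # constructed identifier of the stand-in cipher
HDR = struct.Struct("!4s4sB")    # source address, destination address, marker
NONCE_LEN, TAG_LEN = 16, 32


def addr(text):
    return IPv4Address(text).packed


def make_packet(src, dst, payload, proto=PROTO_DATA):
    """Step 1: a host builds a packet carrying its own and the peer's address."""
    return HDR.pack(addr(src), addr(dst), proto) + payload


def parse_packet(packet):
    src, dst, proto = HDR.unpack_from(packet)
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, packet[HDR.size:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: an assumption, not a cipher named by the claims.
    blocks = [hmac.new(key, nonce + struct.pack("!Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class Bridge:
    def __init__(self, address, peer, secure_pairs, key):
        self.address, self.peer = address, peer
        self.secure_pairs = set(secure_pairs)   # host pairs requiring security
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def outbound(self, packet):
        """Steps 2-5: table lookup, encrypt the whole packet, encapsulate."""
        src, dst, _, _ = parse_packet(packet)
        if (src, dst) not in self.secure_pairs:
            return packet                        # step 2 falls through to step 5
        nonce = os.urandom(NONCE_LEN)
        ciphertext = _xor(packet, _keystream(self.enc_key, nonce, len(packet)))
        key_mgmt = bytes([MECH_HMAC_CTR]) + nonce          # step 4(a)
        outer = HDR.pack(addr(self.address), addr(self.peer), PROTO_ENCAP)  # 4(b)
        tag = hmac.new(self.mac_key, outer + key_mgmt + ciphertext,
                       hashlib.sha256).digest()
        return outer + key_mgmt + ciphertext + tag

    def inbound(self, packet):
        """Steps 6-10: detect encapsulation, identify the mechanism, decrypt."""
        _, _, proto, body = parse_packet(packet)
        if proto != PROTO_ENCAP:
            return packet                        # step 7 falls through to step 10
        if len(body) < 1 + NONCE_LEN + HDR.size + TAG_LEN:
            raise ValueError("truncated encapsulated packet")
        mech, nonce = body[0], body[1:1 + NONCE_LEN]
        if mech != MECH_HMAC_CTR:                # step 8
            raise ValueError("unknown encryption mechanism")
        ciphertext, tag = body[1 + NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, packet[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        inner = _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))
        src, dst, _, _ = parse_packet(inner)     # step 9 result: original packet
        if (src, dst) not in self.secure_pairs:
            raise ValueError("decrypted packet is not for a protected pair")
        return inner


def demo():
    """Constructed scenario: one protected host pair behind two bridges."""
    pairs = {("10.0.1.5", "10.0.2.9")}
    key = bytes(range(32))                       # constructed shared key
    first = Bridge("192.0.2.1", "198.51.100.1", pairs, key)
    second = Bridge("198.51.100.1", "192.0.2.1", pairs, key)
    original = make_packet("10.0.1.5", "10.0.2.9", b"payroll batch 17")
    on_wire = first.outbound(original)
    return {
        "outer_header": parse_packet(on_wire)[:3],
        "delivered_intact": second.inbound(on_wire) == original,
        "growth_bytes": len(on_wire) - len(original),
    }


if __name__ == "__main__":
    print(demo())
```

In the claimed flow a packet without the encapsulation header is forwarded unchanged at step 10, so plaintext addressed between a protected pair is only stopped if the receiving bridge is given an explicit rule to drop it.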






2. (Once Amended) The method of claim 1, wherein the new address header for 
the modified first data packet includes the address of the second bridge computer. 




3. (Once Amended) The method of claim 2, wherein the new address header for 
the modified first data packet includes an identifier of the second bridge computer. 

4. (Once Amended) The method of claim 1, wherein the new address header of
the modified first data packet includes the address of the second host computer.

5. (Once Amended) The method of claim 4, wherein the new address header for
the modified first data packet includes an identifier of the seco^'^ computer.

6. (Once Amended) A system for automatically encrypting and decrypting data
packets transmitted from a first host computer on a first computer network to a second host
computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting data
packets transmitted from said first computer network, the first bridge computer including
a first processor and a first memory storing instructions for executing encryption of data
packets according to a predetermined encryption/decryption mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second bridge
computer including a second processor and a second memory storing instructions for
executing decryption of the data packets;

said first host computer including a third processor and a third memory including
instructions for transmitting a first [said] data packet from said first host to said second
host;

a first table stored in said first memory including a correlation of at least one of
the first host computer and the first network with one of the second host computer and the
second network, respectively;

instructions stored in said first memory for intercepting said first data packet
before departure from said first network, determining whether said correlation is present
in said first table, and if so, then executing encryption of said first data packet according
to said predetermined encryption/decryption mechanism, generating a new address
header including a mechanism for identifying said predetermined encryption/decryption
mechanism and appending said new address header to said encrypted first data packet,
thereby generating a modified first data packet, and transmitting said modified first data
packet on to the second host computer;

a second table stored in said second memory including a correlation of at least one
of the first host computer and the first network with one of the second host computer and
the second network, respectively; and

instructions stored in said second memory for intercepting said modified first data
packet upon arrival at said second network, determining whether said correlation is
present in said second table, and if so, then executing decryption of said first data packet
according to said predetermined encryption/decryption mechanism, and transmitting the
first data packet to the second host computer.



7. (Once Amended) [The method of claim 6,] A system for automatically
encrypting and decrypting data packets transmitted from a first host computer on a first computer
network to a second host computer on a second computer network, including:

a first bridge computer coupled to the first computer network for intercepting data
packets transmitted from said first computer network, the first bridge computer including
a first processor and a first memory storing instructions for executing encryption of data
packets according to a predetermined encryption/decryption mechanism;

a second bridge computer coupled to the second computer network for
intercepting data packets transmitted to said second computer network, the second bridge
computer including a second processor and a second memory storing instructions for
executing decryption of the data packets;

said first host computer including a third processor and a third memory including
instructions for transmitting a first data packet from said first host to said second host;

a first table stored in said first memory including a correlation of at least one of
the first host computer and the first network with one of the second host computer and the
second network, respectively;

instructions stored in said first memory for intercepting said first data packet
before departure from said first network, determining whether said correlation is present
in said first table, and if so, then executing encryption of said first data packet according
to said predetermined encryption/decryption mechanism, generating a new address
header and appending said new address header to said encrypted first data packet, thereby
generating a modified first data packet, and transmitting said modified first data packet
on to the second host computer, wherein said new address header includes [the]
internetwork broadcast addresses of the first and second computer networks[.];

a second table stored in said second memory including a correlation of at least one
of the first host computer and the first network with one of the second host computer and
the second network, respectively; and

instructions stored in said second memory for intercepting said modified first data packet
upon arrival at said second network, determining whether said correlation is present in said
second table, and if so, then executing decryption of said first data packet according to said
predetermined encryption/decryption mechanism, and transmitting the first data packet to the
second host computer.



8. The method of claim 7, wherein said new address header includes an identifier of
the second bridge computer.

9. The method of claim 6, wherein said new address header includes the address of
the second host computer.

10. The method of claim 9, wherein said new address header includes an identifier of
the second bridge computer.

11. (Once Amended) A method for transmitting and receiving packets of data via
an internetwork from a first host computer on a first computer network to a second host
computer on a second computer network, [the first and second computer networks,] each of said
first and second host computer networks, each of said first and second host computers including
a processor and a memory for storing instructions for execution by the processor, each said
memory storing at least \pn] a predetermined encryption/decryption mechanism and a
source/destination table identifying a predetermined plurality of sources and destinations
requiring security for packets transmitted between them, the method being carried [carded] out
by means of the instructions stored in said respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to the
second host computer, a portion of the first data packet including information
representing an internetwork address of a source of the first data packet and an
internetwork address of a destination of the first data packet;



(2) in the first host computer, determining whether the source and destination of the
first data packet are among the predetermined plurality of sources and destinations
identified in said source/destination table for which security is required, and if not,
proceeding to step 5, and if so, proceeding to step 3;

(3) encrypting the first data packet in the first host computer;

(4) in the first host computer, generating and appending to the encrypted first data
packet an encapsulation header, including:

(a) key management information providing a mechanism for identifying the
predetermined encryption method, and

(b) a new address header identifying the source and destination for the first
data packet, thereby generating a modified first data packet;

(5) transmitting the first data packet or the modified first data packet from the first
host computer via the internetwork to the second computer network;

(6) in the second host computer, if the encapsulation header has been appended to the
first data packet, reading the encapsulation header, and determining therefrom whether
the first data packet was encrypted, and if the first data packet was not encrypted [not],
ending the method, d^s^M\^6 j(CciQ first data packet was encrypted, proceeding to step 7;

(7) in the second host computer, determining which encryption mechanism was used
to encrypt the first data packet;

(8) decrypting the first data packet by the second host computer.


12. (Once Amended) The method of claim 11, wherein the new address header 
for the modified first data packet includes internetwork broadcast addresses of the first and 
second computer networks. 



13. The method of claim 11, wherein the source/destination table includes data
identifying internetwork addresses of the first and second host computers.



14. (Once Amended) A system for automatically encrypting and decrypting data
packets transmitted from a first host computer on a first computer network [and having a first
host computer on a first computer network and], the first host computer having a first processor
and a first memory, via an internetwork to a second host computer on a second computer
network [and having a second host computer on a second computer network and], the second
host computer having a second processor and a second memory, the system including:

security data stored in said first and second memories indicating that data packets
meeting at least one predetermined criterion are to be encrypted;

a predetermined encryption/decryption mechanism stored in said first and second
memories;

a decryption key stored in said second memory;

instructions stored in said first memory for determining whether to encrypt one or
more data packets, by determining whether said at least one predetermined criterion is
met by said one or more data packets [data packet];

instructions stored in said first memory for executing encryption according to said
predetermined encryption/decryption mechanism of at least a first [said data packet] one
of said one or more data packets, when said at least one predetermined criterion is met,
for generating a new address header for said first data packet and for appending an
encapsulation header to said first data packet and transmitting said first data packet to
said second host, said new address header identifying broadcast addresses of the first and
second computer networks, said encapsulation header including at least said new address
header; and

instructions stored in said second memory for receiving said first data packet,
determining whether it has been encrypted by reference to said security data in said
second memory, and if so then determining which encryption/decryption mechanism was
used for encryption, and decrypting said first data packet by use of said decryption key.

15. (Once Amended) The system of claim 14, wherein:

said security data comprises correlation data stored in each of said first and
second memories [identifying at least one of said first and second memories] identifying
at least one of said first host computer and said first network correlated with at least one
of said second host computer and said second network;

the system further including instructions stored in said first memory for
determining whether to encrypt data packets by inspecting for a match between source
and destination addresses of said data packets with said correlation data.

16. (Once Amended) A system for automatically encrypting data packets for
transmission from a first host computer on a first computer network to a second host computer
on a second computer network, said first host computer including a first processor and a first
memory including instructions for transmitting said data packets from said first host to said
second host, the system including:

a bridge computer coupled to the first computer network for intercepting at least a
first [said] data packet transmitted from said first computer network, said bridge
computer including a second processor and a second memory storing instructions for
executing encryption of said first data packet according to a predetermined
encryption/decryption mechanism;

information stored in said second memory correlating at least one of the first host
computer and the first network with one of the second host computer and the second
network, respectively; and

instructions stored in said second memory for intercepting said first data packet
before departure from said first network, determining whether said correlation is present,
and if so, then executing encryption of said first data packet according to said
predetermined encryption/decryption mechanism, generating a new address header
including a mechanism for identifying said predetermined encryption/decryption
mechanism and appending said new header to said first data packet, thereby
generating a modified first data packet on to the second host computer.



17. (Once Amended) A method for transmitting packets of data via an
internetwork from a first host computer on a first computer network to a second host computer
on a second computer network, the first computer networks including a first bridge computer,
each of said first and second host computers and said bridge computer further including memory
storing at least one predetermined encryption/decryption mechanism and information identifying
a predetermined plurality of host computers as hosts requiring security for packets transmitted
between them, the method being carried out according to the instructions stored in said
respective memories and including the steps of:

(1) generating, by the first host computer, a first data packet for transmission to the
second host computer, a portion of the first data packet including information
representing an internetwork address of the first host computer and an internetwork
address of the second host computer.

(2) in the first bridge computer, intercepting the first data packet and determining
whether the first and second host computers are among the predetermined plurality of
host computers for which security is required, and if not, proceeding to step 5, and if so,
proceeding to step

(3) encrypting the first data packet in the first bridge computer;

(4) in the first bridge computer, generating and appending to the first data packet an
encapsulation header, including:

(a) key management information providing a mechanism for identifying the
predetermined encryption method, and

(b) a new address header representing the source and destination for the data
packet, thereby generating a modified first data packet; and

(5) transmitting the first data packet or the modified first data packet from the first
bridge computer via the internetwork to the second computer network.

18. (Once Amended) A system for automatically decrypting data packets
transmitted from a first computer to a second computer, the system comprising:

a bridge coupled to the second computer for intercepting a data packet from the
first computer, the data packet having an address header and a body, the address header
including broadcast addresses of the first and second computers, the bridge including a
processor and a memory that stores instructions for decrypting data packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and second
computers, and if so, decrypting at least a portion of the data packet to generate a new
data packet including a new address header, and transmitting the new data packet onto
the second computer.



19. (Once Amended) The system of claim 18, wherein the data packet includes
the new data packet in encrypted form.



20. (Once Amended) A system for automatically decrypting data packets
transmitted from a first computer to a second computer, the system comprising:

a bridge coupled to the second computer for intercepting a data packet from the
first computer, the data packet including a header storing key management information
providing a mechanism for identifying an encryption method used to encrypt the data
packet, the bridge including a processor and a memory that stores instructions for
decrypting data packets;

information stored in the memory of the bridge correlating the first and second
computers; and

instructions stored in the memory for intercepting the data packet, determining
whether the information stored in the memory of the bridge correlates the first and second
computers, and if so, decrypting the data packet to generate a new data packet including a
new address header, and transmitting the new data packet onto the second computer.



21. The method of claim 18, wherein the new address header includes information 
indicating the first computer is a source of the new data packet and the second computer is a 
destination of the new data packet.

22. (Once Amended) A method for receiving data packets from a first computer
to a second computer through a bridge including a processor and a memory that stores
instructions for decrypting data packets and information correlating the first and second
computers, the method being carried out according to instructions in the memory of the bridge
and comprising:

intercepting a data packet from the first computer to the second computer, the data
packet including an address header and a body, the address header including broadcast
addresses of the first and second computers and the body including address information
representing an internetwork address of the first computer and an internetwork address of
the second computer, wherein the address information is encrypted;

determining whether the information stored in the memory of the bridge
correlates the first and second computers, and if so, decrypting the data packet to generate
a new data packet including a new address header; and

transmitting the new data packet on to the second computer.



23. (Once Amended) The method of claim 22, wherein the body includes the
new data packet in encrypted form.

24. (Once Amended) A method for receiving data packets from a first computer
to a second computer through a bridge including a processor and a memory that stores
instructions for decrypting data packets and information correlating the first and second
computers, the method being carried out according to instructions in the memory of the bridge
and comprising:

intercepting a data packet from the first computer to the second computer, the data
packet including information representing an internetwork address of the first computer
and an internetwork address of the second computer;

determining whether the information stored in the memory of the bridge
correlates the first and second computers, and if so, decrypting the data packet to generate
a new data packet including a new address header; and

transmitting the new data packet on to the second computer;

wherein the data packet includes a header storing key management information providing
a mechanism for identifying an encryption method used to encrypt the new data packet.




25. The method of claim 22, wherein the new address header includes information
indicating the first computer is a source of the new data packet and the second computer is a
destination of the new data packet.

26. (Once Amended) A method of encrypting data packets, comprising:

receiving a data packet from a source for destination, the data packet including a header
section and a data section, the header section storing a source identifier and a destination
identifier;

determining whether the data packet should be encrypted upon reference at least one of
the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the encrypted
data packet, thereby generating a modified data packet;

wherein the new address header includes a mechanism for identifying an encryption
method used to generate the encrypted data packet.

27. (Once Amended) The method of claim 26, further comprising transmitting
the modified data packet to the destination.

28. The method of claim 26, wherein the determining whether the data packet should
be encrypted comprises accessing stored information that indicates by presence or absence of the
source identifier that data packets from the source should be encrypted.

29. The method of claim 26, wherein the determining whether the data packet should
be encrypted comprises accessing stored information that indicates by presence or absence of a
correlation between the source and destination identifiers that data packets from the source for
the destination should be encrypted.

30. (Once Amended) The method of claim 26, wherein the encrypted data packet
includes an encrypted data packet header section and an encrypted data packet data section, the
encrypted data packet header section including the header section of the data packet after
encryption and the encrypted data packet data section including the data section of the data
packet after encryption, the modified data packet including a header portion storing the new
address header and a data portion storing the encrypted data packet.

31. The method of claim 30, wherein the encrypted data packet header section stores
the source and destination identifiers.

„ .L..^~ 

receiving a data packet from a source for a destination, the data packet including a header
section and a data section, the header section storing a source identifier and a destination
identifier;

determining whether the data packet should be encrypted upon reference to at least one of
the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the encrypted
data packet, thereby generating a modified data packet;

wherein the encrypted data packet includes an encrypted data packet header section and
an encrypted data packet data section, the encrypted data packet header section including the
header section of the data packet after encryption and the encrypted data packet data section
including the data section of the data packet after encryption, the modified data packet including
a header portion storing the new address header and a data portion storing the encrypted data
packet;

wherein the source is a host computer in a network and the header portion of the modified
data packet stores an identifier of the network.

33. (Once Amended) A method of encrypting data packets, comprising:

receiving a data packet from a source for a destination, the data packet including a header
section and a data section, the header section storing a source identifier and a destination
identifier;

determining whether the data packet should be encrypted upon reference to at least one of
the source and destination identifiers;

if the data packet should be encrypted, encrypting the data packet to produce an
encrypted data packet; and

generating a new address header and appending the new address header to the encrypted
data packet, thereby generating a modified data packet;

wherein the encrypted data packet includes an encrypted data packet header section and
an encrypted data packet data section, the encrypted data packet header section including the
header section of the data packet after encryption and the encrypted data packet data section
including the data section of the data packet after encryption, the modified data packet including
a header portion storing the new address header and a data portion storing the encrypted data
packet;

wherein the destination is a host computer in a network and the header portion of the
modified data packet stores an identifier of the network.



34. The method of claim 26, wherein the source is a host computer or a network. 

35. The method of claim 26, wherein the destination is a host computer or a network.

36. (Once Amended) A computer program product adapted for encrypting data
packets, comprising:

computer code that when executed causes the reception of a data packet from a source for
a destination, the data packet including a header section and a data section, and the header
section storing a source identifier and a destination identifier;

computer code that when executed causes the determination of whether the data packet
should be encrypted upon reference to at least one of the source and destination identifiers;

computer code that when executed, if the data packet should be encrypted, causes the
encryption of the data packet to produce an encrypted data packet;

computer code that when executed causes the generation of a new address header and
appends the new address header to the encrypted data packet, the new address header including a
mechanism for identifying an encryption method used to generate the encrypted data packet,
thereby generating a modified data packet; and

a computer readable medium that stores the computer codes.

37. The computer program product of claim 36, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

38. (Once Amended) A computer system for encrypting data packets,
comprising:

a processor;

a computer readable medium coupled to the processor and storing a computer program
comprising:

computer code that when executed by the processor causes the processor to
receive a data packet from a source for a destination, the data packet including a header
section and a data section, and the header section storing a source identifier and a
destination identifier;

computer code that when executed by the processor causes the processor to
determine whether the data packet should be encrypted upon reference to at least one of
the source and destination identifiers;

computer code that when executed by the processor causes the processor to
encrypt the data packet to produce an encrypted data packet when it is determined that
the data packet should be encrypted; and

computer code that when executed by the processor causes the processor to
generate a new address header and append the new address header to the encrypted data
packet, thereby generating a modified data packet;

wherein the new address header includes a mechanism for identifying an
encryption method used to generate the encrypted data packet.

39. The computer program product of claim 38, wherein the computer readable
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM.

40. (Once Amended) A method of decrypting data packets, comprising:

receiving a data packet from a source for a destination, the data packet including a header
section and a data section, the header section storing a source identifier identifying a broadcast
address of the source and a destination identifier identifying a broadcast address of the
destination;

determining whether the data packet is encrypted upon reference to at least one of the
source and destination identifiers; and

if the data packet is encrypted, decrypting the data packet to produce a decrypted data
packet.



41. The method of claim 40, further comprising transmitting the decrypted data
packet to the destination.

42. The method of claim 40, wherein the determining whether the data packet is
encrypted comprises accessing stored information that indicates by presence or absence of the
source identifier that data packets from the source are encrypted.

43. The method of claim 40, wherein the determining whether the data packet is
encrypted comprises accessing stored information that indicates by presence or absence of a
correlation between the source and destination identifiers that data packets from the source for
the destination are encrypted.

. A - 



44. (Once Amended) The method of claim 40, wherein the data section of the 
data packet includes an encrypted header section and an encrypted data section, the encrypted 
header section including a header of the decrypted data packet after encryption and the encrypted 
data section including a body of the decrypted data packet after encryption. 

45. The method of claim 44, wherein the encrypted header section stores the source 
and destination identifiers. 



46. The method of claim 44, wherein the source is a network and the encrypted 
header section stores an identifier of a host computer in the network. 

47. The method of claim 44, wherein the destination is a network and the encrypted 
header section stores an identifier of a host computer in the network. 

48. The method of claim 40, wherein the source is a host computer or a network. 

49. The method of claim 40, wherein the destination is a host computer or a network. 

50. (Once Amended) A computer program product adapted for decrypting data 
packets, comprising: 

computer code that when executed causes the reception of a data packet from a source for 
a destination, the data packet including a header section and a data section, and the header 
section storing a source identifier identifying a broadcast address of the source and a destination 
identifier identifying a broadcast address of the destination; 

computer code that when executed causes the determination of whether the data packet is 
encrypted upon reference to at least one of the source and destination identifiers; 

computer code that when executed and if the data packet is encrypted, causes the 
decryption of the data packet to produce a decrypted data packet; and 

a computer readable medium that stores the computer codes. 

51. The computer program product of claim 50, wherein the computer readable 
medium is a memory, random-access-memory, read-only-memory, disk drive, or CD-ROM. 



52. (Once Amended) A computer system for decrypting data packets, 
comprising: 

a processor; 

a computer readable medium coupled to the processor and storing a computer program 
comprising: 

computer code that when executed on the processor causes the processor to 
receive a data packet from a source for a destination, the data packet including a header 
section and a data section, the header section storing a source identifier identifying a 
broadcast address of the source and a destination identifier identifying a broadcast 
address of the destination; 

computer code that when executed on the processor causes the processor to 
determine whether the data packet is encrypted upon reference to at least one of the 
source and destination identifiers; and 

computer code that when executed on the processor causes the processor to, if the 
data packet is encrypted, decrypt the data packet to produce a decrypted data packet. 

53. The computer program product of claim 52, wherein the computer readable medium is a 
memory, random access memory, read only memory, disk drive, or CD ROM. 

54. A system for automatically encrypting and decrypting data packets transmitted from a 
first host computer on a first computer network, the first host computer having a first processor 
and a first memory, via an internetwork to a second host computer on a second computer 
network, the second host computer having a second processor and a second memory, the system 
including: 

security data stored in said first and second memories indicating that data packets 
meeting at least one predetermined criterion are to be encrypted; 

instructions stored in said first memory for determining whether to encrypt one or 
more data packets, by determining whether said at least one predetermined criterion is 
met by said one or more data packets; 

instructions stored in said first memory for executing encryption of at least a first 
one of said one or more data packets according to a predetermined encryption/decryption 
mechanism, when said at least one predetermined criterion is met, for generating a new 
address header for said first data packet and for appending an encapsulation header to 
said first data packet and transmitting said first data packet to said second host, said 
encapsulation header including said new address header and a mechanism for identifying 
said predetermined encryption/decryption mechanism; 

instructions stored in said second memory for receiving said first data packet, 
determining whether it has been encrypted by reference to said security data in said 
second memory, and if so then determining which encryption/decryption mechanism was 
used for encryption, and decrypting said first data packet by use of said 
encryption/decryption mechanism. 

55. The system as recited in claim 54, wherein said predetermined encryption/decryption 
mechanism is provided in encrypted form within said encapsulation header. 

56. The system of claim 15, wherein said correlation data includes: 

encryption rules identifying source and destination networks to and from which packets 
are to be encrypted; and 

host information indicating exceptions to the encryption rules. 

57. A system for automatically encrypting data packets for transmission from a first host 
computer on a first computer network to a second host computer on a second computer network, 
said first host computer including a first processor and a first memory including instructions for 
transmitting said data packets from said first host to said second host, the system including: 

a bridge computer coupled to the first computer network for intercepting at least a 
first data packet transmitted from said first computer network, said bridge computer 
including a second processor and a second memory storing instructions for executing 
encryption of said first data packet according to a predetermined encryption/decryption 
mechanism; 

information stored in said second memory correlating at least one of the first host 
computer and the first network with one of the second host computer and the second 
network, respectively; and 

instructions stored in said second memory for intercepting said first data packet 
before departure from said first network, determining whether said correlation is present, and if 
so, then executing encryption of said first data packet according to said predetermined 
encryption/decryption mechanism, generating a new address header including the internetwork 
broadcast addresses of the first and second computer networks and appending said new address 
header to said first data packet, thereby generating a modified first data packet on to the second 
host computer. 



58. A computer program product adapted for encrypting data packets, comprising: 

computer code that when executed on a computer causes the computer to receive a data 
packet from a source for a destination, the data packet including a header section and a data 
section, and the header section storing a source identifier and a destination identifier; 

computer code that when executed on a computer causes the computer to determine 
whether the data packet should be encrypted upon reference to at least one of the source and 
destination identifiers; 

computer code that when executed on a computer causes the computer to, if the data 
packet should be encrypted, encrypt the data packet to produce an encrypted data packet; 

computer code that when executed on a computer causes the computer to generate a new 
address header storing at least one of a broadcast address associated with the source and a 
broadcast address associated with the destination, and append the new address header to the 
encrypted data packet, thereby generating a modified data packet; and 

a computer readable medium that stores the computer codes. 

59. A computer system for encrypting data packets, comprising: 

a processor; 

a computer readable medium coupled to the processor storing a computer program 
comprising: 

computer code that when executed by the processor causes the processor to 
receive a data packet from a source for a destination, the data packet including a header 
section and a data section, the header section storing a source identifier and a destination 
identifier; 

computer code that when executed by the processor causes the processor to 
determine whether the data packet should be encrypted upon reference to at least one of 
the source and destination identifiers; 

computer code that when executed by the processor causes the processor to, if the 
data packet should be encrypted, encrypt the data packet to produce an encrypted data 
packet; and 

computer code that when executed by the processor causes the processor to 
generate a new address header storing at least one of a broadcast address associated with the 
source and a broadcast address associated with the destination, and append the new 
address header to the encrypted data packet, thereby generating a modified data packet. 



60. (Once Amended) A method of decrypting data packets, comprising: 

receiving a data packet from a source at a destination, the data packet including a header 
section and a data section, the header section storing a source identifier, a destination identifier 
and encryption information including a mechanism for identifying an encryption method used to 
generate the data packet; and 

decrypting the data packet to produce a decrypted data packet. 

61. The method as recited in claim 60, further comprising: 

determining from the header section whether the data packet is encrypted; and 

wherein decrypting the data packet to produce a decrypted data packet is performed if it 
is determined that the data packet is encrypted. 

62. The method as recited in claim 60, wherein decrypting the data packet to produce a 
decrypted data packet comprises: 

decrypting at least one of the data section of the data packet and the encryption 
information. 

63. The method as recited in claim 60, wherein the data section includes a packet header and 
a packet body, and wherein decrypting the data section of the data packet comprises decrypting 
at least one of the packet header and the packet body. 




64. (Once Amended) A computer program product adapted for decrypting data packets, 
comprising: 

computer code that when executed on a computer causes the computer to receive a data 
packet from a source at a destination, the data packet including a header section and a data 
section, the header section storing a source identifier, a destination identifier and encryption 
information including a mechanism for identifying an encryption method used to generate the 
data packet; 

computer code that when executed on a computer causes the computer to decrypt the data 
packet to produce a decrypted data packet; and 

a computer readable medium that stores the computer codes. 

65. The computer program product as recited in claim 64, further comprising: 

computer code that when executed on a computer causes the computer to determine from 
the header section whether the data packet is encrypted; and 

computer code that when executed on a computer causes the computer to decrypt the data 
packet if it is determined that the data packet is encrypted. 

66. The computer program product as recited in claim 64, further comprising: 

computer code that when executed on a computer causes the computer to decrypt the data 
packet using the encryption method. 



67. (Once Amended) A computer system for decrypting data packets, comprising: 

a processor; 

a computer readable medium coupled to the processor storing a computer program 
comprising: 

computer code that when executed on the processor causes the processor to 
receive a data packet from a source at a destination, the data packet including a header 
section and a data section, the header section storing a source identifier, a destination 
identifier and encryption information including a mechanism for identifying an 
encryption method used to generate the data packet; 

computer code that when executed on the processor causes the processor to 
determine from the header section whether the data packet is encrypted; and 

computer code that when executed on the processor causes the processor to, if the 
data packet is encrypted, decrypt the data packet to produce a decrypted data packet. 



68. The computer system as recited in claim 67, further comprising: 

computer code that when executed on a computer causes the computer to decrypt the data 
packet using the encryption method. 

69. The system as recited in claim 1^, wherein the mechanism indirectly references said 
predetermined encryption/decryption mechanism. 



70. The system as recited in claim 20, wherein the mechanism indirectly identifies the 
encryption method. 

71. The method as recited in claim 26, wherein the mechanism indirectly identifies the 
encryption method. 

72. The computer program product as recited in claim 36, wherein the mechanism indirectly 
identifies the encryption method. 
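The bridge behaviour recited in claims 40 to 44 and 54, as an added Python example that is not part of the filing: a sending bridge consults stored correlation data, encrypts the whole original packet and prepends a new address header carrying the networks' broadcast addresses plus an identifier of the encryption method, and a receiving bridge uses those outer identifiers to decide whether to decrypt. The byte layout, the policy table, the key and the `toy_stream` stand-in cipher are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

def toy_stream(key, data):
    """Stand-in cipher for the demo (SHA-256 counter keystream XOR); not for real use."""
    blocks = (hashlib.sha256(key + struct.pack(">I", i)).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

# Identifier carried in the encapsulation header -> (encrypt, decrypt) routines.
ALGORITHMS = {1: (toy_stream, toy_stream)}

# Constructed security data held by both bridges:
# (source network, destination network) -> (algorithm id, key).
net = ipaddress.ip_network
POLICY = {(net("10.1.0.0/16"), net("10.2.0.0/16")): (1, b"constructed demo key")}

def addresses(packet):
    """Assumed layout: source IPv4 (4 bytes) | destination IPv4 (4 bytes) | rest."""
    if len(packet) < 8:
        raise ValueError("packet shorter than its address header")
    return ipaddress.ip_address(packet[:4]), ipaddress.ip_address(packet[4:8])

def sender_bridge(packet):
    """Encrypt and encapsulate when the stored correlation covers this host pair."""
    src, dst = addresses(packet)
    for (sn, dn), (alg, key) in POLICY.items():
        if src in sn and dst in dn:
            outer = sn.broadcast_address.packed + dn.broadcast_address.packed
            # The original header and body are both encrypted (claim 44).
            return outer + bytes([alg]) + ALGORITHMS[alg][0](key, packet)
    return packet  # no correlation: forwarded unchanged

def receiver_bridge(packet):
    """Decide from the outer identifiers whether to decrypt (claims 40 and 43)."""
    src, dst = addresses(packet)
    for (sn, dn), (alg, key) in POLICY.items():
        if (src, dst) == (sn.broadcast_address, dn.broadcast_address):
            # Accept only the identifier the stored policy expects for this pair.
            if len(packet) < 9 or packet[8] != alg:
                raise ValueError("missing or unexpected encryption identifier")
            return ALGORITHMS[alg][1](key, packet[9:])
        if src in sn and dst in dn:
            # Added check, not in the claims: protected pair arrived in the clear.
            raise ValueError("cleartext packet for a pair that requires encryption")
    return packet
```

The stand-in cipher provides no integrity protection, so a real deployment would pair the method identifier with an authenticated cipher and verify the packet before acting on the decrypted inner header.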